Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for automatically detecting security vulnerabilities in a client-server application where a client is connected to a server, the method implemented by a computer having a processor and a software program stored on a non-transitory computer readable medium, the method comprising: automatically extracting, with the software program at the client, a description of one or more validation checks on inputs performed by the client; analyzing the server, with the software program by using the one or more validation checks on inputs performed by the client, to determine whether the server is not performing validation checks that the server must be performing; and determining that security vulnerabilities in the client-server application exist when the server is not performing validation checks that the server must be performing.
2. The method of claim 1, further comprising extracting, with the software program, a description of one or more validation checks on inputs performed by the server.
3. The method of claim 2, further comprising comparing the one or more validation checks performed by the client with the one or more validation checks performed by the server.
4. The method of claim 3, wherein comparing the one or more validation checks performed by the client with the one or more validation checks performed by the server includes determining whether validation performed by the server is less stringent than validation performed by the client.
5. The method of claim 1, further comprising generating, with the processor, a report related to the security vulnerabilities of the client-server application.
6. The method of claim 1, wherein analyzing the server further includes determining whether the server accepts inputs that are rejected by the one or more validation checks performed by the client.
7. The method of claim 6, wherein determining whether the server accepts inputs that are rejected by the one or more validation checks performed by the client includes performing a probabilistic analysis of the responses generated by the server.
8. The method of claim 7, wherein the probabilistic analysis includes: generating, with the software program, a first set of inputs that the server should accept and a second set of inputs that the server should reject; sending the first and the second sets of inputs to the server; ranking, with the software program, responses received from the server for the first set of inputs and responses received from the server for the second set of inputs; and determining that the server is vulnerable when the server responses for the second set of inputs are similar to the server responses for the first set of inputs.
9. The method of claim 6, wherein determining whether the server accepts inputs that are rejected by the one or more validation checks performed by the client includes automatically analyzing the server code.
10. The method of claim 9, wherein automatically analyzing the server code includes: generating, by using the description of the one or more validation checks performed by the client, one or more inputs that the server should accept; sending the one or more inputs that the server should accept to the server; analyzing, with the software program, whether the one or more inputs sent to the server perform a security sensitive operation on the server; extracting one or more validation checks performed by the server; comparing the one or more validation checks performed by the server with the one or more validation checks performed by the client; determining that a security vulnerability exists when the validation performed by the server is less stringent than the validation performed by the client; and generating, with the software program, one or more inputs that the server must reject.
11. The method of claim 1, wherein the client-server application is a web application.
12. The method of claim 1, wherein the client-server application is a mobile application.
13. The method of claim 1, wherein the security vulnerabilities of the client-server application include parameter tampering.
14. The method of claim 2, wherein the one or more validation checks on inputs performed by the server are extracted from a database connected to the server.
15. The method of claim 1, further comprising preventing parameter tampering attacks on a running client-server application by enforcing, with the software program, the one or more validation checks on inputs extracted from the client on each input that is submitted to the server.
16. A system for automatically detecting security vulnerabilities in a client-server application, the system comprising: a client connected to a server; and a computer having a processor and a software program stored on a non-transitory computer readable medium, the software program being operable to: automatically extract, at the client, a description of one or more validation checks on inputs performed by the client, analyze the server, by using the one or more validation checks on inputs performed by the client, to determine whether the server is not performing validation checks that the server must be performing, and determine that security vulnerabilities in the client-server application exist when the server is not performing validation checks that the server must be performing.
17. The system of claim 16, wherein the software program is further operable to extract a description of one or more validation checks on inputs performed by the server.
18. The system of claim 17, wherein the software program is further operable to compare the one or more validation checks performed by the client with the one or more validation checks performed by the server.
19. The system of claim 18, wherein comparing the one or more validation checks performed by the client with the one or more validation checks performed by the server includes determining whether validation performed by the server is less stringent than validation performed by the client.
20. The system of claim 16, wherein the software program is further operable to generate, with the processor, a report related to the security vulnerabilities of the client-server application.
21. The system of claim 16, wherein the software program is further operable to determine whether the server accepts inputs that are rejected by the one or more validation checks performed by the client.
22. The system of claim 21, wherein the software program is further operable to perform a probabilistic analysis of the responses generated by the server.
23. The system of claim 22, wherein during the probabilistic analysis the software program is operable to: generate a first set of inputs that the server should accept and a second set of inputs that the server should reject; send the first and the second sets of inputs to the server; rank responses received from the server for the first set of inputs and responses received from the server for the second set of inputs; and determine that the server is vulnerable when the server responses for the second set of inputs are similar to the server responses for the first set of inputs.
24. The system of claim 21, wherein the software program is further operable to automatically analyze the server code.
25. The system of claim 24, wherein during the automatic inspection of the server code the software program is operable to: generate, by using the description of the one or more validation checks performed by the client, one or more inputs that the server should accept; send the one or more inputs that the server should accept to the server; analyze whether the one or more inputs sent to the server perform a security sensitive operation on the server; extract one or more validation checks performed by the server; compare the one or more validation checks performed by the server with the one or more validation checks performed by the client; determine that a security vulnerability exists when the validation performed by the server is less stringent than the validation performed by the client; and generate, with the software program, one or more inputs that the server must reject.
26. The system of claim 17, wherein the one or more validation checks on inputs performed by the server are extracted from a database connected to the server.
27. The system of claim 16, wherein the system is further operable to prevent parameter tampering attacks on a running client-server application by operating the software program to enforce the one or more validation checks on inputs performed by the client on each input that is submitted to the server.
28. The system of claim 27, wherein the software program is further operable to: generate a patch by analyzing a client side code of each client generated by the application; and use the patch to prevent parameter tampering attempts when the client submits inputs to the server.
29. A method for preventing parameter tampering attacks on a running client-server application where the client is connected to the server, the method implemented by a computer having a processor and a software program stored on a non-transitory computer readable medium, the method comprising: automatically extracting, with the software program at the client, a description of one or more validation checks on inputs performed by the client; and enforcing the one or more validation checks on inputs performed by the client on each input that is submitted to the server.
30. The method of claim 29, further comprising: generating a patch by analyzing a client side code of each client generated by the application; and using the patch to prevent parameter tampering attempts when a client submits inputs to the server.
31. The method of claim 30, wherein generating the patch includes: intercepting the server's communication with the client; inserting a unique identifier in the client; automatically extracting, with the software program, a description of one or more validation checks on inputs performed by the client; associating the unique identifier with the description of one or more validation checks on inputs performed by the client; and creating a patch for the client, wherein the patch includes the unique identifier with the description of one or more validation checks on inputs performed by the client.
32. The method of claim 31, wherein preventing parameter tampering attempts includes: intercepting inputs submitted by the client before reaching the server; checking whether the unique identifier exists and matches the client; and checking whether the inputs satisfy the associated description of one or more validation checks on inputs performed by this client.
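The enforcement side of claims 15, 27 and 29 through 32, as an added Python example that is not part of the patent or of any implementation of it: it extracts the validation attributes of a constructed HTML form (the client's checks), binds them to a freshly minted unique identifier inserted into the client as a hidden field (claim 31), and on each submission checks that the identifier exists and re-applies every client check on the server side (claim 32). The sample form, the `_pt_id` field name, and the rule that hidden values must come back unchanged are my assumptions, not claim language.

```python
import re
import secrets
from html.parser import HTMLParser

PATCHES = {}  # server-side store: unique identifier -> that client's validation checks
CLIENT_FORM = """<form action="/checkout" method="post">
  <input name="qty" type="number" min="1" max="10" required>
  <input name="coupon" type="text" pattern="[A-Z0-9]{0,8}">
  <input name="price" type="hidden" value="19.99">
</form>"""  # constructed sample client; the price rides in a hidden field

class ConstraintExtractor(HTMLParser):  # collects each <input>'s validation attributes
    def __init__(self):
        super().__init__()
        self.constraints = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "input" or not a.get("name"):
            return
        c = {k: a[k] for k in ("type", "min", "max", "pattern") if k in a}
        c["required"] = "required" in a
        if a.get("type") == "hidden":  # assumed rule: the browser never edits these
            c["fixed"] = a.get("value", "")
        self.constraints[a["name"]] = c

def generate_patch(form_html):  # claim 31: extract checks, mint id, insert it in the client
    extractor = ConstraintExtractor()
    extractor.feed(form_html)
    ident = secrets.token_hex(16)
    PATCHES[ident] = extractor.constraints
    return ident, form_html.replace("</form>", f'<input name="_pt_id" type="hidden" value="{ident}">\n</form>')

def check_field(value, c):  # re-apply one field's client-side check on the server
    if "fixed" in c:  # hidden field: must come back exactly as sent
        return value == c["fixed"]
    if value in (None, ""):
        return not c["required"]
    if "pattern" in c and not re.fullmatch(c["pattern"], value):
        return False
    if c.get("type") == "number":
        ok = re.fullmatch(r"-?\d+(\.\d+)?", value) is not None
        return ok and float(c.get("min", "-inf")) <= float(value) <= float(c.get("max", "inf"))
    return True

def enforce(submission):  # claim 32: verify the identifier, then every field against its checks
    constraints = PATCHES.get(submission.get("_pt_id"))
    if constraints is None:
        return False, ["missing or unknown identifier"]
    bad = [n for n, c in constraints.items() if not check_field(submission.get(n), c)]
    return not bad, bad  # (accepted?, names of fields failing a client-derived check)
```

Because the checks are keyed by the identifier the patch placed in the client, a request that strips the identifier, edits the hidden price, or pushes `qty` past the client's `max` is rejected before the server's business logic runs.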
August 25, 2015